CRYPTOGRAPHIC DIGITAL COMMUNICATION


INTRODUCTION

There are many ways of safeguarding the transmission of secret information. Cryptography is employed when unauthorized personnel have the technical capability of intercepting and correctly interpreting a secret message. A cryptographic analog communication system, such as the interchanging of frequencies to disguise a voice message, usually requires expensive and complicated instrumentation. Due to the availability of the digital computer, cryptographic digital communication systems are more readily automated.

Cryptographic digital communication is accomplished in two ways. Coding consists of the substitution of groups of bits of variable length for plaintext groups of variable length. Encipherment consists of the substitution of fixed-length groups of bits for fixed-length plaintext groups. In general, coding is too slow for high-density data transmission. Another disadvantage is the technical difficulty entailed in the frequent code changes necessary for secrecy. For these reasons, enciphering systems, which provide high-speed capabilities and are easily modified, are used in most practical cryptographic digital communications.

There are two basic types of encipherment — the stream cipher and the block cipher. The stream cipher is bit-by-bit encipherment which results when a binary symbol is added, modulo two, to each bit of plaintext. The complete set of binary symbols or the rule for generating it is called the key. Deciphering is accomplished by adding the key to the corresponding enciphered bit. The more random the key, the more difficult it is for a cryptanalyst to decipher an intercepted cryptogram. Algorithms exist for generating long pseudorandom keys from two or more short streams of digits. However, an algorithm implies a degree of regularity, which enhances the possibility that an unauthorized cryptanalyst may discern the pattern and duplicate the key generator.

A block cipher is defined as the conversion of $m$ plain bits simultaneously into $n$ enciphered bits. Each of the enciphered bits is a function of all of the plain bits. For unambiguous deciphering, it is necessary that $n \ge m$. For ease of automation, it is preferable that $n = m$. Since knowledge of the conversion of one block of bits reveals little or nothing about the conversion of another block, the block cipher can be made secure by employing large values of $n$. A practical difficulty is the large number of wires required in the implementation of such a cipher. One might try to circumvent this problem by employing a block cipher which merely transposes the plain bits. However, the simplicity of form of such an enciphering system makes it vulnerable.


Note: Manuscript submitted April [day illegible], 1976.
Many automatic electronic cryptographic systems use a stream cipher which incorporates some of the useful aspects of the block cipher. The technique is to use a pseudorandom key which is a function of the plaintext itself. Thus each enciphered bit is a function of many preceding plain bits. A drawback of this system, which we shall call a data-keyed cipher, is that a single erroneous bit entering the deciphering system causes many additional bit errors down the line. In stream ciphers with data-independent keys, a single error is confined to a single position; in a block cipher, each error may affect any of the other bits of the block.

To consolidate the understanding of the definitions, they shall be put in a more mathematical form. A block cipher is defined to be a rule for associating with each block $(x_i, x_{i+1}, \ldots, x_{i+n})$ of plaintext a block $(y_i, y_{i+1}, \ldots, y_{i+n})$ of cipher text.

Thus we can write

$$y_k = f_k(x_i, x_{i+1}, \ldots, x_{i+n}), \quad i \le k \le i + n,$$

where the $f_k$ are functions. A stream cipher is defined to be a rule for associating with each stream $(x_1, x_2, \ldots, x_i, x_{i+1}, \ldots)$ of plaintext a stream $(y_1, y_2, \ldots, y_i, y_{i+1}, \ldots)$ of cipher text, subject to the restriction

$$y_k = \begin{cases} f_k(x_{k-n+1}, x_{k-n+2}, \ldots, x_k), & k \ge n, \\ f_k(x_1, x_2, \ldots, x_k), & k < n. \end{cases}$$

In addition, $y_k$ is often a function of certain initial conditions in the enciphering and deciphering systems.

Most modern cryptographic systems fit into these two broad categories or represent a hybrid of these two ciphers. For example, the Vernam or one-time system is a stream cipher with a data-independent key; thus, $y_k = f_k(x_k)$.

A special case which aids in the intuitive understanding of the preceding ideas is the linear data-keyed cipher. Figure 1 shows an implementation of a linear data-keyed cipher in which a four-stage shift register of type D flip-flops and exclusive OR gates are used. For each distinct setting of the switches, there is a different enciphered output stream.

The corresponding deciphering system is shown in Fig. 2. The extra flip-flop is included for synchronization purposes. The switches must be set in the same manner as those of the enciphering system. A proof of this statement shall now be given.

We define $p(t)$ as the input sequence of plain bits into the enciphering system and $c(t)$ as the corresponding output. Similarly, $c_1(t)$ is the input sequence of enciphered bits into the deciphering system, and $p_1(t)$ is the corresponding output. We define the operation "+" as modulo-two addition. The multiplication is defined as usual.

The operation $D$ is defined by $Dp(t) = p(t - t_0)$, where $t_0$ is defined such that $t - t_0$ is the time of the clock pulse immediately preceding the time $t$.


NRL REPORT 7900


[Figs. 1 and 2: images not reproduced; the labels that survive from the two drawings are PLAINTEXT, CLOCK, and CRYPTOGRAM]

Fig. 1 — Linear data-keyed enciphering system

Fig. 2 — Linear data-keyed deciphering system

The discrete variables $s_i$ may take the values 0 or 1, depending on whether the corresponding switch in the enciphering system is open or closed, respectively. The discrete variables $s_i'$ refer to the deciphering system and are defined analogously. With the preceding definitions and the system of Fig. 1, we observe that during steady-state operation,

$$c(t) = Dp(t) + s_4 Dc(t) + s_3 D^2 c(t) + s_2 D^3 c(t) + s_1 D^4 c(t). \qquad (1)$$


Looking at Fig. 2, we can write

$$p_1(t) = Dc_1(t) + s_4' D^2 c_1(t) + s_3' D^3 c_1(t) + s_2' D^4 c_1(t) + s_1' D^5 c_1(t). \qquad (2)$$


In modulo-two arithmetic, $a + b = c$ implies $a = b + c$. Using this simple fact, Eq. (1) yields

$$Dp(t) = c(t) + s_4 Dc(t) + s_3 D^2 c(t) + s_2 D^3 c(t) + s_1 D^4 c(t). \qquad (3)$$
We observe that $c_1(t) = c(t - \tau)$, where $\tau$ is the delay due to transmission. Suppose $s_i' = s_i$ for $i = 1, 2, 3, 4$. A comparison of Eqs. (2) and (3) then indicates that

$$p_1(t) = D^2 p(t - \tau). \qquad (4)$$

Thus the output of the deciphering system is a delayed version of the input to the enciphering system. The proof for the general system of $n$ shift-register stages is analogous.

In the absence of an input, the system of Fig. 1 behaves as a pseudorandom word generator. The maximum length of the output sequence before pattern repetition is $2^n - 1$ bits, where $n$ is the total number of functioning shift-register stages. The maximum-length sequence will occur only for certain switch settings and only if the initial flip-flop states are not all zero. For example, in Fig. 1, switch S1 must be closed if a pseudorandom sequence of length 15 is to be generated. If S1 is open, the maximum possible length is 7. If $n = 20$, a pseudorandom sequence of over a million bits in length may be generated. It would seem that enciphered bits produced by such a system would be undecipherable with less than $2^n - 1$ intercepted bits; cryptanalysis would be hopeless if $n > 20$. However, we shall show that the key can be broken with as few as $2n$ bits.

Consider the discrete times $t_i$, where $t_{i+1} = t_i + T$, and $T$ is the clock (bit) period. In the general case, we have the following steady-state relations analogous to Eq. (3):

$$Dp(t_i) = c(t_i) + s_n Dc(t_i) + \cdots + s_1 D^n c(t_i), \quad i = 1, 2, \ldots, n. \qquad (5)$$

Since $Dc(t_{i+1}) = c(t_i)$, the $n$ equations represented above contain the $n$ unknown values of $s_i$ and $2n$ values of $c(t)$. It follows that it is possible, under the appropriate conditions and with knowledge of the $2n$ values of $c(t)$ and the $n$ values of $Dp(t_i)$, to solve the system of equations for the $s_i$.

As an example, consider the case where $n = 4$. Suppose we acquire the following sequences of plaintext and enciphered bits:

$c(t_i)$:   1 0 0 1 0 0 1 1 1
$Dp(t_i)$:  1 0 1 0 1 0 1 0 1


The first four values of $Dp(t_i)$ do not help us, since we cannot construct all the terms on the right side of Eq. (5). As a matter of fact, Eq. (5) may not be valid for the first four values of $Dp(t_i)$, since we have not been told whether the steady state has been reached. If the clock of the enciphering system has just started at $t_1$, then the four values are dependent on the initial states of the flip-flops. From the second set of $n = 4$ observations, Eq. (5) yields

$$1 = s_4 + s_1, \qquad (6)$$

$$0 = s_3, \qquad (7)$$

$$1 = 1 + s_2, \qquad (8)$$

and

$$0 = 1 + s_4 + s_1, \qquad (9)$$


which imply that $s_2 = s_3 = 0$, but do not tell us uniquely the values of $s_4$ and $s_1$. If we use the final observation, we obtain

$$1 = 1 + s_4 + s_3, \qquad (10)$$

which now allows us to assert that $s_4 = 0$ and $s_1 = 1$. Note that $n + 1 = 5$ known plain bits and $2n + 1 = 9$ enciphered bits were used. However, if we had originally used Eqs. (7) through (10) instead of Eqs. (6) through (9), we could have obtained the solution with $n = 4$ known plain bits and $2n = 8$ enciphered bits. Once the switch settings have been determined, it is easy to solve for the initial states.

If the switch S1 is open, the first flip-flop is nonfunctional, and we have an enciphering system with only three shift-register stages. However, the cryptanalyst usually does not know a priori the number of shift-register stages. Consequently, he must allow for the largest number of stages possible while attempting to break the key.

There are certain bizarre circumstances under which the key cannot be broken, despite an indefinitely long, known set of plain and enciphered bits. For example, suppose we have the periodic patterns

$c(t_i)$:   0 0 1 1 0 0 1 1 ... 0 0 1 1

and

$Dp(t_i)$:  0 0 0 0 0 0 0 0 ... 0 0 0 0.

It is readily verified that there are two possible solutions, no matter how many of these patterns are observed.
Since it readily can be cracked under certain circumstances, the linear data-keyed cipher is not a very practical system for high-security purposes. It can be reasonably effective for infrequent, low-security operations if the number of stages is large and if the user is careful not to use plaintexts of many consecutive zeros or ones, too systematic a formatting of frames, or indications of where words start and end. For high-security purposes, nonlinear systems based on operations other than modulo-two arithmetic can be designed to make code breaking extremely complicated and expensive. A block diagram of a general data-keyed enciphering or deciphering system is shown in Fig. 3.


[Fig. 3: image not reproduced; labels on the diagram: INPUT, SHIFT REGISTER, KEY BITS, COMBINER, OUTPUT]

Fig. 3 — General data-keyed enciphering or deciphering system


In any digital communication system, the transmitted bits and words have certain error rates. Except for stream ciphers with data-independent keys, encipherment causes these error rates to increase if other system parameters remain unchanged. In block ciphers, each deciphered bit is a function of all the transmitted enciphered bits in the corresponding block. Therefore a single erroneous received bit is practically certain to cause many erroneous deciphered bits. For the data-keyed system of Fig. 3, the degradation is due to the presence of the shift register. A received bit error due to random noise is carried through the shift register, causing additional bit errors down the line. We shall obtain quantitative measures of the degradation for general stream and block ciphers.

It can be verified easily that the roles of Figs. 1 and 2 can be interchanged; that is, the system of Fig. 2 could serve as an enciphering system with the system of Fig. 1 as the corresponding deciphering system. However, this choice is not a good one for a practical communication network, since a single bit error at the input of Fig. 1 will cause an indefinite number of further errors at the output. In the original configuration, only four output bits at most are affected by a single input bit error at the deciphering system.
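The statements made about Figs. 1 and 2 above (the delayed recovery of Eq. (4), the maximum-length sequences of 15 and 7 bits, the worked example of Eqs. (6) through (10), the two-solution periodic pattern, and the unbounded error propagation when the roles of the two figures are interchanged) can be checked in a short bit-level simulation. This is an added example, not code from the report; the register layout, the switch numbering $s = (s_1, s_2, s_3, s_4)$ taken from Eqs. (1) and (2), and the all-zero initial flip-flop states are assumptions, since the figures did not survive extraction.

```python
"""Bit-level simulation of the linear data-keyed cipher of Figs. 1 and 2.

Assumed conventions (the figures did not survive extraction): s = (s1, s2, s3, s4)
with 1 = closed, 0 = open, as in Eqs. (1)-(2); the enciphering register holds
Dc, D^2 c, D^3 c, D^4 c; the deciphering register holds Dc1, ..., D^5 c1, the fifth
stage being the synchronization flip-flop; every flip-flop starts at 0.
"""
from itertools import product
from typing import List, Sequence, Tuple

Bits = List[int]
Switches = Tuple[int, int, int, int]

ALL_SETTINGS: List[Switches] = list(product((0, 1), repeat=4))

# The page's worked example, c(t_1..t_9) and Dp(t_1..t_9) stored 0-based, and the
# periodic pattern that the page says leaves two solutions.
C_PAGE = [1, 0, 0, 1, 0, 0, 1, 1, 1]
DP_PAGE = [1, 0, 1, 0, 1, 0, 1, 0, 1]
C_PERIODIC = [0, 0, 1, 1] * 8
DP_PERIODIC = [0] * 32


def feedback(reg: Sequence[int], s: Switches) -> int:
    """s4*reg[0] + s3*reg[1] + s2*reg[2] + s1*reg[3] (mod 2); reg[j] holds the
    (j+1)-fold delayed tap source, i.e. reg[0] = D(.), reg[3] = D^4(.)."""
    s1, s2, s3, s4 = s
    return (s4 & reg[0]) ^ (s3 & reg[1]) ^ (s2 & reg[2]) ^ (s1 & reg[3])


def encipher(plain: Sequence[int], s: Switches, init: Sequence[int] = (0, 0, 0, 0)) -> Bits:
    """Fig. 1, Eq. (1): c(t) = Dp(t) + s4 Dc(t) + s3 D^2 c(t) + s2 D^3 c(t) + s1 D^4 c(t).
    The register is fed from the output c, so the structure is recursive."""
    reg = list(init)   # reg[j] = D^(j+1) c(t)
    dp = 0             # input flip-flop: Dp(t) = p(t - t0)
    out: Bits = []
    for p in plain:
        c = dp ^ feedback(reg, s)
        out.append(c)
        reg = [c] + reg[:-1]   # clock pulse: shift the register
        dp = p
    return out


def decipher(cipher: Sequence[int], s: Switches) -> Bits:
    """Fig. 2, Eq. (2): p1(t) = Dc1(t) + s4 D^2 c1(t) + s3 D^3 c1(t) + s2 D^4 c1(t) + s1 D^5 c1(t).
    The register is fed from the input c1, so an input error cannot recirculate."""
    reg = [0, 0, 0, 0, 0]   # reg[j] = D^(j+1) c1(t)
    out: Bits = []
    for c1 in cipher:
        out.append(reg[0] ^ feedback(reg[1:], s))
        reg = [c1] + reg[:-1]
    return out


def affected_outputs(plain: Sequence[int], s: Switches, flip_at: int, swapped: bool = False) -> List[int]:
    """Deciphered positions that change when the transmitted bit at index flip_at is
    inverted by channel noise.  swapped=True interchanges the roles of the figures
    (Fig. 2 enciphers, Fig. 1 deciphers), the configuration the page advises against."""
    enc, dec = (decipher, encipher) if swapped else (encipher, decipher)
    sent = enc(plain, s)
    received = sent[:]
    received[flip_at] ^= 1
    clean, noisy = dec(sent, s), dec(received, s)
    return [i for i, (a, b) in enumerate(zip(clean, noisy)) if a != b]


def output_period(s: Switches, init: Sequence[int] = (1, 0, 0, 0), length: int = 64) -> int:
    """Period of the Fig. 1 output with no input (all-zero plaintext) and a nonzero
    initial register: the pseudorandom generator of the page.  The first bits are
    skipped so that a transient does not count."""
    tail = encipher([0] * length, s, init)[8:]
    for period in range(1, len(tail) // 2):
        if all(tail[i] == tail[i + period] for i in range(len(tail) - period)):
            return period
    return 0


def settings_satisfying_eq5(c: Sequence[int], dp: Sequence[int], rows: Sequence[int]) -> List[Switches]:
    """Switch settings for which Eq. (5), Dp(t_i) = c(t_i) + s4 Dc(t_i) + s3 D^2 c(t_i)
    + s2 D^3 c(t_i) + s1 D^4 c(t_i), holds at every 0-based index in rows (each >= 4)."""
    return [s for s in ALL_SETTINGS
            if all(dp[i] == c[i] ^ feedback(c[i - 4:i][::-1], s) for i in rows)]


if __name__ == "__main__":
    plain = [int(b) for b in "1011001110001101" * 3]   # constructed 48-bit plaintext
    s = (1, 0, 0, 0)                                   # the setting the page arrives at
    print("recovered with delay 2:", decipher(encipher(plain, s), s) == [0, 0] + plain[:-2])
    print("Figs. 1/2 as drawn, error at 10 ->", affected_outputs(plain, s, 10))
    print("roles interchanged, error at 10 ->", affected_outputs(plain, s, 10, swapped=True))
    print("period, S1 closed:", output_period((1, 0, 0, 1)), " S1 open:", output_period((0, 1, 1, 0)))
    print("Eqs. (6)-(9):", settings_satisfying_eq5(C_PAGE, DP_PAGE, range(4, 8)))
    print("Eqs. (7)-(10):", settings_satisfying_eq5(C_PAGE, DP_PAGE, range(5, 9)))
    print("periodic pattern:", settings_satisfying_eq5(C_PERIODIC, DP_PERIODIC, range(4, 32)))
```

With the roles interchanged, the recursive register of Fig. 1 keeps feeding the error back, so the list of affected positions grows with the length of the stream instead of stopping after a few bits.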


ERROR-RATE BOUNDS FOR STREAM CIPHERS

We shall designate by $P_b$ the probability of bit error for an unenciphered communication system. We shall assume that the bit errors resulting from transmission occur independently of each other. It follows that the word error rate is

$$P_w = 1 - (1 - P_b)^k, \qquad (11)$$

where $k$ denotes the number of bits per word. We now investigate what happens when a stream cipher is added to the communication system.

Suppose an enciphered bit is erroneously received as a result of random noise or other interference. As the erroneous bit proceeds through the deciphering system, each of $n$ consecutive output bits will be affected. We define a train to be this set of $n$ consecutive bits emerging from the deciphering system. For a stream cipher with a data-independent key, $n = 1$. For a data-keyed cipher, $n > 1$.

The $k$ bits of an enciphered word entering the deciphering system shall be referred to as the input word. The corresponding $k$ plain bits emerging from the deciphering system shall be designated the output word. The probability of a word error, $P_{cw}$, is defined to be the probability of one or more erroneous bits in the output word. We shall say that a train is of external origin with respect to an output word if the first bit of the train occurs before the first bit of the word. The joint probability of a word error and a train of external origin extending into the word is denoted by $P(w, t)$. If no train of external origin extends into the word, the conditional probability of word error is denoted by $P(w \mid \bar t)$. The probability that a train of external origin does not extend into a word is denoted by $P(\bar t)$. With these definitions and notation, we now derive a decomposition which will be useful in our analysis of stream-cipher error rates.

From the theorem of total probability,

$$P_{cw} = P(w, t) + P(w \mid \bar t)\,P(\bar t). \qquad (12)$$

A train will extend into an output word if, and only if, one of the $n - 1$ input bits immediately preceding the corresponding input word is in error due to random noise. Thus, assuming bit errors are independent,

$$P(\bar t) = (1 - P_b)^{n-1}. \qquad (13)$$

When no train is present, an error in one of the bits of the input word causes an error in the corresponding bit of the output word. Thus $P(w \mid \bar t)$ is the same as the probability of a word error for plaintext; that is,

$$P(w \mid \bar t) = 1 - (1 - P_b)^k. \qquad (14)$$


To determine $P(w, t)$, additional notation must be introduced. If $i$ bits of a train of external origin extend into a word, we denote this condition by the symbols $t_b = i$. For example, $P(t_b = i)$ denotes the probability that a word contains $i$ externally generated train bits. Since $P(w, t \mid t_b = i) = P(w \mid t_b = i)$, we can write

$$P(w, t) = P(w \mid t_b = k)\,P(t_b = k) + \sum_{i=1}^{k-1} P(w \mid t_b = i)\,P(t_b = i). \qquad (15)$$


If at least one of the $n - k$ bits preceding the corresponding input word is in error and $n > k$, it is clear that $t_b = k$. Thus

$$P(t_b = k) = \begin{cases} 1 - (1 - P_b)^{n-k}, & n > k; \\ 0, & n \le k. \end{cases} \qquad (16)$$


For $t_b = i$, where $1 \le i < k$, it is necessary that there be an error precisely $n - i$ bits prior to the word but no erroneous bits among the next $n - i - 1$ bits. Therefore, for $1 \le i < k$,

$$P(t_b = i) = \begin{cases} P_b (1 - P_b)^{n-i-1}, & n > i; \\ 0, & n \le i. \end{cases} \qquad (17)$$


Substitution of Eqs. (13) through (17) into Eq. (12) yields the decomposition

$$P_{cw} = P(w \mid t_b = k)\left[1 - (1 - P_b)^{n-k}\right] u(n - k) + \sum_{i=1}^{\min(k-1,\,n-1)} P(w \mid t_b = i)\, P_b (1 - P_b)^{n-i-1} + \left[1 - (1 - P_b)^k\right](1 - P_b)^{n-1}, \qquad (18)$$

where $u(n - k)$ is a step function, that is, $u(n - k)$ is 0 for $n \le k$ and is 1 for $n > k$. Note that in the summation term, $i$ extends to the least of the two integers $k - 1$ and $n - 1$.

To evaluate the decomposition, the exact configuration of the cryptographic system has to be specified. However, a tight upper bound can be obtained by simply observing that $P(w \mid t_b = k)$ and $P(w \mid t_b = i)$ must be less than unity. Therefore

$$P_{cw} \le \left[1 - (1 - P_b)^{n-k}\right] u(n - k) + \sum_{i=1}^{\min(k-1,\,n-1)} P_b (1 - P_b)^{n-i-1} + \left[1 - (1 - P_b)^k\right](1 - P_b)^{n-1}. \qquad (19)$$
After some algebraic simplification, Eq. (19) reduces to the compact expression

$$P_{cw} \le 1 - (1 - P_b)^{n+k-1}. \qquad (20)$$

We shall now show that there is a simpler bound

$$P_{cw} \le (n + k - 1) P_b. \qquad (21)$$

Consider the function of $P_b$ defined by

$$y = (n + k - 1) P_b - 1 + (1 - P_b)^{n+k-1}. \qquad (22)$$

Clearly $y$ is zero at $P_b = 0$. Since $n + k \ge 2$, $y$ has a nonnegative derivative for all $P_b$ such that $0 \le P_b \le 1$. Thus for all possible $P_b$, $y \ge 0$. We conclude that

$$(n + k - 1) P_b \ge 1 - (1 - P_b)^{n+k-1}. \qquad (23)$$

Combining Eqs. (20) and (23) yields Eq. (21).

Using $k = 1$ in Eq. (21), we obtain the companion inequality

$$P_{cb} \le n P_b. \qquad (24)$$

A binomial expansion indicates that the bound of Eq. (21) is almost as tight as the bound of Eq. (20) if

$$P_b \ll 2(n + k - 2)^{-1}, \quad n + k > 2. \qquad (25)$$

ENSEMBLE-AVERAGE ERROR RATES FOR STREAM CIPHERS

A second measure of error-rate performance is obtained by considering ensembles of stream ciphers characterized by a specific value of the parameter $n$. In what follows, we indicate an ensemble average by a bar over the $P$. Let the symbol $X$ denote the ensemble-average probability that a bit which is part of a train of external origin is in the correct state. Before deriving an expression for $\bar P_{cw}$ we shall first investigate what value $X$ might have.

For linear systems, $X$ is one-half, independent of the input word and the other output bits. This statement is also true if a bit is simultaneously part of two or more trains.
To see the truth of this assertion, consider the linear system of Fig. 2. Suppose that after $n$ correct input bits, an erroneous input bit is received. The corresponding output bit is then in error, and a train is started. Over the ensemble of deciphering systems of the form of Fig. 2, it is equally likely that S4 will be open or closed. If S4 is closed and the next input bit is correct, it is seen that the next output bit is in error. Similarly, if S4 is open and the next input bit is in error, the next output bit is in error. Thus if the next input bit has an error probability $P_b$, the error probability of the next output bit is $(1/2)(1 - P_b) + (1/2)P_b = 1/2$. Continuing this reasoning leads to the conclusion that $X = 1/2$.

It is believed that $X$ is one-half with respect to the ensemble of all possible stream ciphers, independent of the input word and the other output bits. Referring to Fig. 3, notice that over the ensemble an enciphered input can be applied simultaneously to any number of the shift-register stages and combiner elements. Also, any number of the shift-register outputs can feed the combiner. Because of the nonlinear operation of the combiner, an error in one or more of the bits feeding it may or may not produce an erroneous key bit. Thus in the ensemble there are deciphering systems in which a single erroneous input bit causes several bad bits to be fed into the combiner during most of the key production, and the nonlinear operation causes the subsequent bit error rate to be greater than one-half. Clearly, in the ensemble there are other systems about which the opposite is true.

Although $X$ is one-half for the complete ensemble of all possible stream ciphers, it is possible that for a subset of nonlinear stream ciphers, $X$ is different than one-half with respect to the restricted ensemble. However, the most important practical stream cipher subset is the subset of secure ciphers, that is, those systems for which cryptanalysis is very difficult. Setting $X$ equal to one-half for this subset is an excellent approximation.

When $k = 1$, $P(w \mid t_b = k) = 1 - X$. Thus it follows from Eq. (18) that

$$\bar P_{cb} = (1 - X)\left[1 - (1 - P_b)^{n-1}\right] + P_b (1 - P_b)^{n-1}. \qquad (26)$$

In this equation we have kept the unspecified parameter $X$ because its retention does not complicate the expression significantly. However, for the reasons mentioned and to facilitate the derivation, we shall always assume $X = 1/2$ in determining the ensemble-average word error rate.

We denote the condition that one or more of the first $i$ bits of an input word is in error by the symbol $\alpha$ and the absence of the condition by $\bar\alpha$. Using the theorem of total probability, we can write

$$P(w \mid t_b = i) = P(w, \alpha \mid t_b = i) + P(w, \bar\alpha \mid t_b = i). \qquad (27)$$

If $t_b = i$, the ensemble-average probability of no error in the first $i$ output bits is $(1/2)^i$, independent of the input bits and the other output bits. If $\alpha$ is false and $t_b = i$, the last $k - i$ output bits are not part of a train generated by the first $i$ bits. Consequently the first error in the last $k - i$ input bits is added to a good key bit. Therefore, the probability of no error in the last $k - i$ output bits is equal to the probability of no error in the corresponding input bits. We conclude that

$$P(w \mid t_b = i, \bar\alpha) = 1 - 2^{-i}(1 - P_b)^{k-i}. \qquad (28)$$

From the independence of bit errors, we have

$$P(\bar\alpha \mid t_b = i) = (1 - P_b)^i. \qquad (29)$$

From the definition of a conditional probability and Eqs. (28) and (29),

$$P(w, \bar\alpha \mid t_b = i) = (1 - P_b)^i - 2^{-i}(1 - P_b)^k. \qquad (30)$$

In almost all practical systems, we have $n \ge k$. Thus, deferring consideration of the more complicated general case until later, we assume that $n \ge k$ and determine $P(w, \alpha \mid t_b = i)$ in a manner similar to the derivation of Eq. (30). Clearly

$$P(\alpha \mid t_b = i) = 1 - (1 - P_b)^i. \qquad (31)$$

If $\alpha$ is true, $n \ge k$, and $t_b = i$, then every output bit is part of a train. Consequently the ensemble-average probability of no error for each output bit is 1/2, independent of the other output bits. It follows that

$$P(w \mid t_b = i, \alpha) = 1 - 2^{-k}, \quad n \ge k. \qquad (32)$$

From the definition of a conditional probability and using Eqs. (30), (31), and (32) in Eq. (27), there results

$$P(w \mid t_b = i) = 1 - 2^{-i}(1 - P_b)^k - 2^{-k}\left[1 - (1 - P_b)^i\right], \quad n \ge k. \qquad (33)$$

From this relation or by direct reasoning it follows that for $n \ge k$,

$$P(w \mid t_b = k) = 1 - 2^{-k}. \qquad (34)$$


Substitution of Eqs. (33) and (34) into Eq. (18) gives the ensemble-average word error rate. After performing two easy summations and regrouping, we obtain

$$\bar P_{cw} = 1 - 2^{-k} + k\,2^{-k} P_b (1 - P_b)^{n-1} - (1 - P_b)^{n+k-1} + 2^{-k}(1 - P_b)^n - \sum_{i=1}^{k-1} 2^{-i} P_b (1 - P_b)^{n+k-1-i}. \qquad (35)$$
Although we shall soon apply it in the present form, this equation can be made slightly more convenient for computation by performing the remaining summation to obtain, for $n \ge k$,

$$\bar P_{cw} = \begin{cases} 1 - 2^{-k} + k\,2^{-k} P_b (1 - P_b)^{n-1} + 2^{-k}(1 - P_b)^n - \dfrac{(1 - P_b)^n\left[(1 - P_b)^k - 2^{-k+1} P_b\right]}{1 - 2P_b}, & P_b \ne 1/2; \\[1ex] 1 - 2^{-k}, & P_b = 1/2. \end{cases} \qquad (36)$$

This formula is still tedious to use in manual computations. Fortunately, a simple asymptotic expression is highly accurate over the usual range of interest. The approximation can be obtained by employing a Taylor-series expansion about the point $P_b = 0$ and dropping the higher order terms. However, the condition for the validity of this procedure is too complicated for quick verification. Consequently, we use an alternative method which yields a simple sufficient condition of validity. Each of the factors in Eq. (35) of the form $(1 - P_b)^m$ is approximated by $1 - mP_b$; a sufficient condition for this approximation is $P_b \ll 2(m - 1)^{-1}$ if $m > 1$. Each factor of the form $P_b(1 - P_b)^m$ is approximated by $P_b$; a sufficient condition for this approximation is $P_b \ll m^{-1}$ if $m > 0$. With these approximations and some algebraic simplification, Eq. (35) reduces to

$$\bar P_{cw} \approx \left[n + k - 2 - 2^{-k}(n - k - 2)\right] P_b, \quad n \ge k. \qquad (37)$$

Combining all the conditions which arise, it is found that the single condition

$$P_b \ll (n + k - 2)^{-1}, \quad n + k > 2, \qquad (38)$$

suffices; that is, Eq. (38) is a sufficient condition for the validity of Eq. (37). Using the same method on Eq. (26), we obtain

$$\bar P_{cb} \approx \left[n(1 - X) + X\right] P_b. \qquad (39)$$

For later comparison, we note that the asymptotic form of Eq. (11) is

$$P_w \approx k P_b. \qquad (40)$$

It is readily verified that Eq. (38) is also a sufficient condition for the validity of Eqs. (39) and (40).

To include the possibility that $n < k$, we must employ more intricate reasoning. Let the symbol $\beta = l$ designate the condition that the last bit error among the first $i$ input bits occurs at input bit $l$, where $1 \le l \le i$. If $\beta = l$, then $\alpha$ is true; thus we make the decomposition

$$P(w, \alpha \mid t_b = i) = \sum_{l=1}^{i} P(w \mid t_b = i, \beta = l)\, P(\beta = l \mid t_b = i). \qquad (41)$$

Clearly the probability of $\beta = l$, given $t_b = i$, is equal to the probability that input bit $l$ is erroneous and input bits $l + 1$ through $i$ are correct. We conclude that

$$P(\beta = l \mid t_b = i) = P_b (1 - P_b)^{i-l}, \quad 1 \le l \le i. \qquad (42)$$

When $t_b = i$, the probability that the first $i$ output bits are correct has an ensemble average equal to $2^{-i}$. The probability that the last $k - i$ output bits are correct depends only on the condition $\beta = l$, which implies that a train of $n + l - i - 1$ bits extends into the final $k - i$ bits. Let $w_{k-i}$ denote an error in a word consisting of $k - i$ output bits. From the previous discussion it follows that

$$P(w \mid t_b = i, \beta = l) = 1 - 2^{-i}\left[1 - P(w_{k-i} \mid t_b = n + l - i - 1)\right]. \qquad (43)$$

Substituting Eqs. (42) and (43) into Eq. (41) gives

$$P(w, \alpha \mid t_b = i) = P_b \sum_{l=1}^{i} (1 - P_b)^{i-l}\left[1 - 2^{-i} + 2^{-i} P(w_{k-i} \mid t_b = n + l - i - 1)\right]. \qquad (44)$$


Using Eqs. (44) and (30) in Eq. (27), we obtain

$$P(w \mid t_b = i) = 1 - 2^{-i}(1 - P_b)^k - 2^{-i}\left[1 - (1 - P_b)^i\right] + 2^{-i} P_b \sum_{l=1}^{i} (1 - P_b)^{i-l}\, P(w_{k-i} \mid t_b = n + l - i - 1). \qquad (45)$$


This expression is valid for all $n$. When $n \ge k$, $P(w_{k-i} \mid t_b = n + l - i - 1) = 1 - 2^{-(k-i)}$, independent of $l$. Consequently Eq. (45) reduces to Eq. (33). However, when $n < k$, $P(w_{k-i} \mid t_b = n + l - i - 1)$ must be evaluated by the same procedure as that leading to Eq. (45) itself. In general, we have a finite hierarchy of equations, with the number of equations depending on $k - n$. The general ensemble-average cryptographic word-error-rate formula follows on substitution of Eqs. (34) and (45) into Eq. (18).

To obtain an asymptotic expression for $\bar P_{cw}$ when $n < k$, we note that the last term in Eq. (45) does not contribute to the final equation even if $P(w_{k-i} \mid t_b = n + l - i - 1) = 1$. Then, applying the method described previously to Eqs. (45) and (18), we obtain

$$\bar P_{cw} \approx \left[n + k - 2(1 - 2^{-n})\right] P_b, \quad n < k, \qquad (46)$$

where Eq. (38) provides a sufficient condition.


ERROR-RATE BOUNDS AND ENSEMBLE AVERAGES FOR BLOCK CIPHERS

In the conventional block cipher, a plaintext block of $m$ total bits, comprising an integral number of words of $k$ bits each, is enciphered as a block of $n$ total bits. After transmission and reception, the plaintext block is restored as the output of the deciphering system. Clearly no output words will be in error unless the received enciphered block contains an error in at least one of its $n$ bits. Thus we can write

$$P_{cw} = P(w \mid be)\left[1 - (1 - P_b)^n\right], \qquad (47)$$

where $P(w \mid be)$ is the probability of an error in an output word, given that there is a block error at the input of the deciphering system. Setting $P(w \mid be) = 1$ and using Eq. (23), we see that Eq. (47) yields the upper bound given by

$$P_{cw} \le n P_b. \qquad (48)$$

If $k > 1$, this upper bound is less than the corresponding upper bound for the stream cipher, given by Eq. (21). Since the parameter $k$ does not appear in Eq. (48), the right-hand side provides an upper bound for $P_{cb}$ also. For $P_{cb}$ the upper bound is the same as that indicated in Eq. (24) for the stream cipher.

Usually block ciphers do not involve a size change, that is, n = m. We proceed to obtain the ensemble-average cryptographic error rates for this case. Due to the one-to-one correspondence between the enciphered and plaintext blocks, an error in a received enciphered block is certain to cause at least one erroneous bit in the output block. Consequently, over the ensemble of block ciphers there are 2^n - 1 equally likely output blocks corresponding to an erroneous enciphered block. Consider any fixed bit in these output blocks. In 2^{n-1} - 1 of the possible output blocks, this bit will be correct, that is, in the same state it would have been if no error had occurred in the enciphered block. We conclude that given a block error, there is an ensemble-average probability that a bit is correct equal to (2^{n-1} - 1)/(2^n - 1). Consider a second fixed output bit. Given that there is a block error and that the first fixed output bit is correct, it follows from an extension of the previous reasoning that there is an ensemble-average probability that the second fixed bit is correct equal to (2^{n-2} - 1)/(2^{n-1} - 1). If x_1, x_2, \ldots, x_n are events, the probability of all these events can be described as follows:

P(x_1 x_2 \cdots x_n) = P(x_n \mid x_1 \cdots x_{n-1}) \cdots P(x_2 \mid x_1)\, P(x_1). \qquad (49)

Using Eq. (49) and repeating our analysis for successive output bits, we conclude that

P(w \mid be) = 1 - \prod_{i=1}^{k} \frac{2^{n-i} - 1}{2^{n-i+1} - 1} = \frac{2^n (1 - 2^{-k})}{2^n - 1}. \qquad (50)


Combining this relation with Eq. (47), we obtain the ensemble-average cryptographic word error rate for block ciphers

P_{cw} = (1 - 2^{-n})^{-1} (1 - 2^{-k}) [1 - (1 - P_b)^n]. \qquad (51)

The ensemble-average cryptographic bit error rate for block ciphers is

P_{cb} = \tfrac{1}{2} (1 - 2^{-n})^{-1} [1 - (1 - P_b)^n]. \qquad (52)

Under the condition that

P_b \ll 2 (n - 1)^{-1}, \qquad (53)

we obtain the asymptotic formulas

P_{cb} \approx \tfrac{1}{2} (1 - 2^{-n})^{-1} n P_b \qquad (54)

and

P_{cw} \approx (1 - 2^{-n})^{-1} (1 - 2^{-k}) n P_b. \qquad (55)

Although these formulas hold for all values of n and k, it should be remembered that n > 4k is usually required to safeguard against the frequency analysis of block patterns.
We  shall  compare  the  error  rates  of  block  and  stream  ciphers  in  the  next  section. 
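As an added numerical check, written for this edition and not code from the report, the block-cipher formulas above can be exercised directly: Eq. (50) is compared against the counting argument it was derived from, Eqs. (48), (51), (52) and (55) are evaluated, and one member of the block-cipher ensemble is modelled as a uniformly random bijection on n-bit blocks whose output is sent over a binary symmetric channel with bit error probability P_b (n = m, no size change). The function names and the sample parameters n = 8, k = 4, P_b = 0.02 are my own choices; the simulation is a constructed model, not a measurement from the report.

```python
import random


def p_word_given_block_error(n: int, k: int) -> float:
    """Ensemble-average P(w|be) of Eq. (50): probability that a fixed k-bit
    word of the n-bit output block is wrong, given that the received
    enciphered block contains at least one bit error.  The telescoped product
    2^n (1 - 2^-k) / (2^n - 1) is written as (1 - 2^-k) / (1 - 2^-n)."""
    return (1.0 - 2.0 ** (-k)) / (1.0 - 2.0 ** (-n))


def p_word_given_block_error_by_counting(n: int, k: int) -> float:
    """Same quantity by the counting argument of the text: given a block
    error, the deciphered block is (over the ensemble) equally likely to be
    any of the 2^n - 1 wrong blocks, and the word is correct only when all k
    of its bit positions agree.  Feasible only for small n."""
    word_mask = (1 << k) - 1
    correct_block = 0            # without loss of generality
    wrong_word = 0
    for out in range(1, 1 << n):  # every block except the correct one
        if (out & word_mask) != (correct_block & word_mask):
            wrong_word += 1
    return wrong_word / ((1 << n) - 1)


def block_error_probability(n: int, pb: float) -> float:
    """1 - (1 - P_b)^n: at least one of the n received bits is in error."""
    return 1.0 - (1.0 - pb) ** n


def block_cipher_word_error_rate(n: int, k: int, pb: float) -> float:
    """Eq. (51)."""
    return p_word_given_block_error(n, k) * block_error_probability(n, pb)


def block_cipher_bit_error_rate(n: int, pb: float) -> float:
    """Eq. (52): the k = 1 case of Eq. (51)."""
    return block_cipher_word_error_rate(n, 1, pb)


def upper_bound_word_error_rate(n: int, pb: float) -> float:
    """Eq. (48): holds for every member of the ensemble, and for P_cb too."""
    return n * pb


def asymptotic_word_error_rate(n: int, k: int, pb: float) -> float:
    """Eq. (55), valid under the condition of Eq. (53)."""
    return p_word_given_block_error(n, k) * n * pb


def simulate_random_block_cipher(n: int, k: int, pb: float, blocks: int, seed: int = 0) -> dict:
    """One ensemble member modelled as a uniformly random bijection on n-bit
    blocks.  Random plaintext blocks are enciphered, passed through a binary
    symmetric channel (each bit flipped independently with probability pb),
    deciphered with the inverse map, and the bit and word error rates of the
    output are measured.  Constructed simulation, assumption of this example."""
    rng = random.Random(seed)
    size = 1 << n
    encipher = list(range(size))
    rng.shuffle(encipher)
    decipher = [0] * size
    for x, y in enumerate(encipher):
        decipher[y] = x
    words_per_block = n // k
    word_mask = (1 << k) - 1
    bit_errors = word_errors = 0
    for _ in range(blocks):
        plaintext = rng.randrange(size)
        error_pattern = 0
        for i in range(n):
            if rng.random() < pb:
                error_pattern |= 1 << i
        received = encipher[plaintext] ^ error_pattern
        diff = decipher[received] ^ plaintext      # which output bits are wrong
        bit_errors += bin(diff).count("1")
        for w in range(words_per_block):
            if (diff >> (w * k)) & word_mask:
                word_errors += 1
    return {
        "bit_error_rate": bit_errors / (blocks * n),
        "word_error_rate": word_errors / (blocks * words_per_block),
    }


if __name__ == "__main__":
    n, k, pb = 8, 4, 0.02
    print("P(w|be) formula  :", p_word_given_block_error(n, k))
    print("P(w|be) counting :", p_word_given_block_error_by_counting(n, k))
    print("P_cb  Eq. (52)   :", block_cipher_bit_error_rate(n, pb))
    print("P_cw  Eq. (51)   :", block_cipher_word_error_rate(n, k, pb))
    print("n P_b Eq. (48)   :", upper_bound_word_error_rate(n, pb))
    print("simulated member :", simulate_random_block_cipher(n, k, pb, 20000, seed=1))
```

For the small parameters used here a single random permutation tracks the ensemble average closely; the text's later remark that individual members can show noticeably larger bit-error-rate degradation becomes visible only when the statistics are gathered per fixed error pattern rather than averaged over all of them.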


DEGRADATION  DUE  TO  CRYPTOGRAPHY 

The  bit  error  rate  for  ordinary  transmission  is  a function  of  the  modulation  system. 
For  most  modulation  systems,  when  white  Gaussian  noise  is  present,  the  bit  error  rate 
has  the  functional  form  specified  by 


where f is a function, N_0 is the noise power spectral density, and E_b is the mean energy for a bit in the one state. If this equation is substituted into Eqs. (26) and (36), or Eqs. (51) and (52), there result formulas in terms of E_b. By comparing these formulas with Eqs. (11) and (56), we can determine the increase in E_b required to obtain the same error rate from a cryptographic system as the corresponding plaintext system. This increase provides a quantitative measure of cryptographic degradation. Let P'_{cw} denote either P_{cw} or the upper bound of P_{cw}. Then the degradation in decibels is defined to be

D = 10 \log_{10} \frac{E'_b / N_0}{E_b / N_0} = 10 \log_{10} \frac{E'_b}{E_b}, \qquad (57)

where E'_b is the energy required to produce a value of P'_{cw} which is equal to the value of P_w when the energy is E_b.

As an example, suppose we wish to calculate the degradation of the ensemble-average bit error rate of a block cipher relative to the plaintext bit error rate. Suppose Eq. (56) is plotted empirically. Then we can also plot Eq. (52). For each value of P_b we can read a value of E_b/N_0 from the first plot and a value of E'_b/N_0 corresponding to P_{cb} = P_b from the second plot. Substitution into Eq. (57) yields D.

Rather than employ the graphical method, it is often convenient to have a simple approximate formula for degradation. To derive such a formula, note that with the help of Eq. (40) all our asymptotic error rate bounds and ensemble averages can be written in the form

P'_{cw} = g(n, k)\, P_w, \qquad (58)

where g(n, k) is the corresponding function of the parameters n and k. According to the definition of E'_b, it is implicitly related to E_b by

P'_{cw}(E'_b) = P_w(E_b). \qquad (59)

Combining Eqs. (40), (56), (58), and (59), it follows that the degradation can be determined analytically by solving


For conventional, ideal, coherent modulation systems, we can write

where c is a constant depending on the modulation type. This relation depends on the asymptotic approximation


\operatorname{erfc}(x) = \frac{1}{\sqrt{2\pi}} \int_x^{\infty} \exp\left(-\frac{t^2}{2}\right) dt \approx \frac{1}{x\sqrt{2\pi}} \exp\left(-\frac{x^2}{2}\right), \qquad (62)


which can be employed with negligible error when cE_b/N_0 > 10. For conventional, ideal, noncoherent modulation systems, we can write

(63)

where no approximation is necessary. For coherent phase-shift-keyed (PSK), coherent quadriphase-shift-keyed (QPSK), and noncoherent (differential) PSK modulation, we have c = 2. For coherent and noncoherent amplitude-shift-keyed (ASK) modulation, we have c = 1/2.


Substituting Eq. (61) into both sides of Eq. (60), taking the natural logarithm, and rearranging, we obtain

\ln g(n, k) \quad \cdots \qquad (64)

We now approximate the right-hand side by the first term in a Taylor-series expansion; that is, we use

which is reasonably accurate if

\frac{E'_b}{E_b} < 1.5. \qquad (66)

Substituting Eq. (65) into Eq. (64), solving for E'_b/E_b, and employing the result in Eq. (57), we obtain

D_C = 10 \log_{10} \left[ \cdots \frac{2 \ln g(n, k)}{cE_b \cdots} \right] \qquad (67)

where the subscript C is a reminder that this formula holds for coherent modulation systems. Using our solution of Eq. (64) in Eq. (66), the condition for the accuracy of Eq. (67) becomes

\frac{E_b}{N_0} > \frac{4 \ln g(n, k) - 1}{c}. \qquad (68)
For noncoherent modulation systems, we obtain in a similar manner

D_N = 10 \log_{10} \left[ 1 + \frac{2 \ln g(n, k)}{c E_b / N_0} \right]. \qquad (69)

Equation (69) is exact, since neither Eq. (62) nor Eq. (68) is required to derive it. The expressions for D_C and D_N and Eqs. (61) and (63) indicate that, for a fixed plaintext word-error-rate, the degradation is a function of coherency rather than specific modulation type. In other words, the three basic types of coherent systems have the same degradation, and the two basic types of noncoherent systems have the same degradation.
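As an added worked example, not code from the report, the following evaluates the noncoherent degradation of Eq. (69) for the ensemble-average block-cipher bit error rate (k = 1, so P_w = P_b and g(n, 1) is read off Eq. (54)) and compares it with the graphical procedure described earlier, carried out numerically: E'_b is found by bisection from Eq. (59) and inserted into Eq. (57). Because the plaintext error-rate curve of Eqs. (56) and (63) is not reproduced on this page, the code assumes the standard noncoherent DPSK curve P_b = (1/2) exp(-E_b/N_0), which agrees with the report's c = 2 for DPSK; the function names and the sample value E_b/N_0 = 10 dB are my own.

```python
import math


def g_block_bit(n: int) -> float:
    """g(n, 1) of Eq. (58) for the ensemble-average block-cipher bit error
    rate: from Eq. (54), P_cb ~ (1/2)(1 - 2^-n)^-1 n P_b."""
    return 0.5 * n / (1.0 - 2.0 ** (-n))


def degradation_db(eb_prime: float, eb: float) -> float:
    """Eq. (57): D = 10 log10(E'_b / E_b)."""
    return 10.0 * math.log10(eb_prime / eb)


def degradation_noncoherent_db(g: float, c: float, ebno: float) -> float:
    """Eq. (69), closed form for noncoherent modulation.  ebno is E_b/N_0 as
    a linear ratio, not in dB."""
    return 10.0 * math.log10(1.0 + 2.0 * math.log(g) / (c * ebno))


def pb_dpsk(ebno: float) -> float:
    """Assumed plaintext bit error curve standing in for Eqs. (56)/(63):
    noncoherent DPSK, P_b = (1/2) exp(-E_b/N_0).  A standard result used as an
    assumption of this example, not an equation quoted from the report."""
    return 0.5 * math.exp(-ebno)


def pcb_block(n: int, pb: float) -> float:
    """Eq. (52), exact (not asymptotic) ensemble-average bit error rate."""
    return 0.5 / (1.0 - 2.0 ** (-n)) * (1.0 - (1.0 - pb) ** n)


def degradation_numeric_db(n: int, ebno: float, pb_curve=pb_dpsk) -> float:
    """The graphical method of the text done numerically: find E'_b/N_0 such
    that P_cb(E'_b) equals the plaintext P_b(E_b) (Eq. (59) with k = 1), then
    apply Eq. (57).  Bisection is valid because both curves decrease with
    energy and P_cb(E) >= P_b(E), so E'_b >= E_b."""
    target = pb_curve(ebno)
    lo, hi = ebno, ebno + 200.0          # P_cb at hi is far below target
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if pcb_block(n, pb_curve(mid)) > target:
            lo = mid
        else:
            hi = mid
    return degradation_db(0.5 * (lo + hi), ebno)


def db_to_linear(x_db: float) -> float:
    return 10.0 ** (x_db / 10.0)


if __name__ == "__main__":
    n, c = 50, 2.0
    for ebno_db in (8.0, 10.0, 12.0):
        ebno = db_to_linear(ebno_db)
        print(f"E_b/N_0 = {ebno_db:4.1f} dB: Eq. (69) {degradation_noncoherent_db(g_block_bit(n), c, ebno):.3f} dB,"
              f" numeric {degradation_numeric_db(n, ebno):.3f} dB")
```

At E_b/N_0 = 10 dB and n = 50 both routes give about 1.21 dB; they agree because P_b is far inside the region of Eq. (53), where the asymptotic Eq. (54) behind g(n, 1) is accurate. The gap between them widens as P_b grows toward 2/(n - 1).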


The degradation equations facilitate comparison between block and stream ciphers. An important observation is that for most practical values of n and P_b, the ensemble-average bit-error-rate of block ciphers is nearly the same as that of stream ciphers with X = 1/2.


To illustrate some other aspects of block and stream ciphers, an example of noncoherent system degradation shall be studied. Combining Eqs. (40), (63), and (69), we have

D_N = 10 \log_{10} \left[ \cdots \ln g(n, k) \cdots \right] \qquad (70)

Figures 4 and 5 are plots of this equation with respect to bit and word ensemble-average error rates when n = 50. In Fig. 4 we set k = 1 and P_w = P_b, and plot D_N as a function of P_b. The function g(n, k) is determined by Eq. (54) for block ciphers and by Eq. (39) for stream ciphers. In Fig. 5 we set k = 10 and plot D_N as a function of P_w. The function g(n, k) is determined by Eqs. (40) and (55) for block ciphers and Eqs. (37) and (40) for stream ciphers. It is seen that stream ciphers with X = 3/4 cause somewhat less bit-error-rate degradation than the block ciphers. However, the word-error-rate degradation due to block ciphers is lower than that of stream ciphers with X = 1/2 over the range of interest. In Figs. 6 and 7 we see the effects of increasing the parameter n when P_b or P_w is fixed. Since n is a measure of the security of the cryptographic system, it appears that the price paid in degradation for increased security is not exorbitant. An interesting observation is that the ensemble-average word-error-rate degradations of block and stream ciphers converge as n increases.
Fig. 7 — Degradation of word error rate as a function of n for a noncoherent system with P_w = 10'“* and k = 10.


A comparison between Eqs. (48) and (55) reveals that no member of a block-cipher ensemble suffers significantly more word-error-rate degradation than the ensemble average for n > 3, k > 3, and most practical values of P_b. However, one or more members of a block-cipher ensemble may endure considerably greater bit-error-rate degradation than the ensemble average. For example, with coherent PSK modulation and n = 60, it follows from Eq. (67) that some member of the associated block-cipher ensemble may have an extra bit-error-rate degradation ranging from approximately 0.3 dB to 0.2 dB as P_b varies from 10^{-3} to 10^{-6}. Similar statements can be made for stream-cipher ensembles when X = 1/2.

Suppose  a cryptographic  system  is  provided  with  the  additional  power  necessary  to 
obtain  the  same  word  error  rate  as  the  corresponding  plaintext  system.  The  question 
arises  as  to  whether  the  performance  of  the  cryptographic  system  is  now  as  good  as  that 
of  the  plaintext  system.  To  answer  this  question,  note  that  a word  error  in  a plaintext 
system  usually  involves  one  or  two  erroneous  bits.  On  the  other  hand,  a cryptographic 
word  error  usually  implies  many  erroneous  bits.  Relative  performance  must  be  evaluated 
by  determining  the  additional  cost,  if  any,  of  multiple  bit  errors  within  an  erroneous 
word. 